T1055.009

Proc Memory

Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. Proc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]), then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running p...

Linux
2 Detections
1 Source
0 Threat Actors

BY SOURCE

sigma (2)

PROCEDURES (2)

Kernel Monitoring (1 detection)

Auto-extracted: 1 detection for kernel monitoring

Process Creation Monitoring (1 detection)

Auto-extracted: 1 detection for process creation monitoring

DETECTIONS (2)